UK data protection law changes 2026: what changed on 5 February 2026 (and what to do next)

  • On 5 February 2026, the UK’s latest data protection reforms moved from “coming soon” to live law.

  • If your organisation handles personal data, uses cookies, runs marketing, or uses AI for decisions, this matters.

  • This post explains what changed, when it came into force, and who might be affected. It also includes a simple “do-this-now” checklist.


What law changed, and the exact date it changed

  • The reforms sit in the Data (Use and Access) Act 2025 (DUAA).
  • The Act received Royal Assent on 19 June 2025.
  • Most of the remaining data protection provisions commenced on 5 February 2026.
  • This happened after the government brought forward the Commencement No. 6 Regulations to switch on the main package.
  • One key item is not live yet: a complaints procedure requirement is due to start on 19 June 2026.
  • Some changes to ICO governance will follow later.

What actually changed (in plain English)

These reforms mainly update how the UK GDPR, the Data Protection Act 2018, and PECR work in practice.
Here are the changes most organisations will notice first:

  • “Recognised legitimate interests”: a new concept that can reduce the paperwork of a full balancing test for specific purposes.
  • Automated decision-making (ADM): the rules shift towards permitting ADM with safeguards, rather than treating it as broadly prohibited.
  • Subject access requests (SARs/DSARs): clearer rules on “reasonable and proportionate” searches and “stop the clock” when clarification is needed.
  • Cookies and direct marketing (PECR): higher enforcement risk, plus changes in how cookie rules apply.
  • Bigger ICO powers under PECR: including fines up to £17.5m or 4% of global turnover.

Practical Impact for You – the changes in more detail

Change 1: “Recognised legitimate interests” (less admin, same responsibility)

The DUAA introduces the concept of recognised legitimate interests. This is designed to give a presumption of legitimacy for certain types of processing. Examples mentioned include direct marketing, intra‑group transfers for internal administration, and network and information systems security. Public-interest examples are also referenced, such as crime prevention, public security, safeguarding, and emergency response.

What should you do?

Update privacy notices and records of processing. This is a chance to simplify. It is not a “free pass.”

Change 2: Automated decision-making (AI and “computer says no” decisions)

From 5 February 2026, the UK’s ADM approach becomes more permissive, but with safeguards. The law points toward allowing ADM where organisations put protections in place, with requirements such as allowing people to make representations, obtain meaningful human intervention, and challenge solely automated decisions. It also flags the need to provide meaningful information about how the ADM system operates when asked. If AI is used in recruitment, credit, pricing, fraud checks, or customer screening, this is a “pause and review” moment.

Change 3: DSARs (subject access) get clearer “rules of the road”

DSARs can feel like a fire drill. The DUAA makes the expectations clearer. It clarifies that searches are limited to “reasonable and proportionate” steps. It also codifies “stop the clock” where more information is reasonably required to respond. This is good news for teams drowning in scattered systems and mailbox hunts, but it still rewards organisations with strong data mapping and retention discipline.

Change 4: Cookies and PECR enforcement just got riskier

A big practical shift is enforcement under PECR (cookies and electronic marketing rules). The ICO states it can now issue PECR fines up to £17.5 million or 4% of global turnover. That aligns PECR penalty levels with UK GDPR-style ceilings. The ICO also highlights new powers, including compelling witness interviews and requesting technical reports. If your website uses cookies, tags, pixels, or consent banners, treat this as board-level risk, not a design tweak.


When did these changes come into force (and what’s next)?

Dates for compliance planning:

  • 19 June 2025: DUAA received Royal Assent.
  • 5 February 2026: most remaining DUAA data protection provisions came into force.
  • 19 June 2026: the requirement to have a complaints procedure is due to commence.
  • Later date: further ICO governance provisions will follow.

Who might be affected? (Spoiler: most organisations)

You are likely affected if you do any of the following:

  • You process personal data in the UK
    • Most organisations fall here, including SMEs, charities, and professional services.

  • You use AI or rules engines to make decisions
    • If you use automated scoring, filtering, or profiling, review the ADM safeguards.

  • You run marketing or rely on cookies
    • PECR enforcement risk is higher now, and cookie rules are in the reform package.

  • You handle DSARs
    • The clarified standards may change how you scope searches and timelines.

  • You operate across the UK and EU
    • Organisations may need to navigate other regimes when operating in both regions, including EU GDPR and the EU AI Act for certain “high risk” AI systems.

What should you do now? A practical checklist

This is the part that protects trust. It also reduces surprises later.

1) Update your legal basis documentation

Check where “recognised legitimate interests” could apply.
Update privacy notices and records if required.

2) Review automated decisions and AI workflows

Map where ADM happens. Identify who can provide human intervention.
Ensure “meaningful information” can be given on request.

3) Tighten DSAR playbooks

Align procedures to “reasonable and proportionate” searches.
Use “stop the clock” appropriately when clarification is genuinely needed.

4) Treat cookies and PECR as a priority risk

Re-check consent banners, tags, and marketing workflows.
Brief leadership on the PECR fine ceiling and new ICO powers.

5) Get ready for June 2026

Plan and implement a complaints procedure ahead of 19 June 2026.


Final Thoughts

These reforms are not only about compliance. They are about confidence. Every new tool, pixel, and model changes how customers judge trust. If privacy is treated as a relationship, not a checkbox, the law becomes easier to live with.


✅ Take Action Now

Contact Cyber & Data Protection today to discover how our tailored data protection solutions, which help with policies and processes, and our extensive Managed Data Protection services can keep your business compliant.

📧 Email: [email protected]
📞 Call: +44 1743 644404
